Extension Chrome not working

Comments

I would still recommend checking 1Password 7 out just because 1Password 4 isn't being worked on any more. We will still offer technical support but as time goes on the answer may be it just can't work with x or y any more. You're certainly not forced to update though, it's just something I would recommend users consider, see if the work that has gone into 1Password 7 is something they'd like to use.

I updated Chrome today and got the same issue as @aguyngueran where clicking on the 1Password button does nothing. So will 1Password 4 no longer work with Chrome without disabling the browser code signature check, or will an eventual update to the plugin help with that?

@bluon, it isn't the extension so an update to it won't help, the native application contains a hardcoded list of known code signatures and Chrome's has changed since 1Password 4 was last worked on. You are correct in your understanding that disabling the check entirely is the only way to get things to work with 1Password 4. There will be no more updates to 1Password 4 which is why I would recommend any 1Password 4 user to consider upgrading. My hope is all of our existing 1Password 4 users have found it value for money so far and will like all the work that has gone into 1Password 7.

@ShadowFM, this thread relates only to Chrome and 1Password for Windows, we will reply to your thread to keep the topics separate.

I'm not so sure I would want to spend $3 per month on an annual plan for the very few updates I would need, I'd rather pay more when I need to update it than to have a subscription that runs forever.

I got a bundle package 4 or 5 years ago, windows/mac including the extras in the ios app and it cost me 2 years of "subscription" fee and here I am using the same version working fine except for the chrome extension,

and I'm still not convinced that paying 3 years of membership is worth the price for me so I guess it's goodbye using the extension in chrome simple as that.

1Password 7 for both Mac and Windows do still support licences if you're not convinced by our 1Password accounts and in the end all you can do is make the best decision for you, if remaining with 1Password 4 for Windows is what you wish to do that is your choice to make.

A small clarification though, if you have the Pro features in 1Password for iOS it was either from a separate purchase of 1Password 4 for iOS or the in-app purchase at a later point. We have never had a bundle that includes either Android or iOS as the various stores don't allow for it. The use of the centralised server for the 1Password accounts mean this is the first time we could have it where we can activate all the clients which is one benefit to the 1Password account, you can use as many devices on as many supported platforms as you have.

Yes, I got the Pro iOS features as an in-app purchase, still the combined (bundle and iOS Pro features) price was a lot less than the 1Password 7 deal considering that I've used it for 4 years now.

Like I said, I'm still thinking if it is worth getting it for Chrome compatibility, it is over time a lot more expensive and I prefer to only get the updates that I need rather than for the sake of updates being available that implement features that I really can't be bothered with.

But I guess that this is what the business model looks like now (not yours alone), enforcing updates and features that very few loud speaking users demand and everyone else has to pay for it.

At least you seem to do code optimization, which never happens with companies like Adobe or Microsoft.

I'm having the exact same problem. Using version 4 of 1Password as well. The browser extension does nothing... It feels as if 1Password is forcing us to upgrade. Not a good feeling, especially for us that are with 1Password since the beginning.

To be honest, if we forced users to upgrade, I wouldn't be working here. I'll quote one of my colleagues from a similar forum thread:

Google recently updated Chrome's signing certificate starting with Chrome 72, which means 1Password 4 can no longer recognize it. We will not be updating 1Password 4 to address this. While we're happy to continue helping folks out with 1Password 4 and totally understand that not everyone will want to upgrade to 1Password 7, we need to keep looking forward from a development perspective. There will come various points as 1Password 4 ages where certain things will just stop working as the world changes around it. If you'd like to stick with 1Password 4, you still have options for saving and filling in other web browsers, but Chrome 72+ will only work with 1Password 7.

@LilliZ, @cyphix333, @bluon: I understand that you might not like the subscription based model, which is why we have standalone licenses. A standalone license is $64.99, and can be purchased through the 1Password 7 app. When asked to subscribe, click the "Need a license? We have those too" link on that page. If you have any trouble upgrading, contact us and we'll help you out.

And how long will you continue to support v7?

While I can't give you a specific date, I think you could expect 1Password 7 to at least have the same running time as 1Password 4. Please note that even though we're not releasing any updates, we still offer customer support for 1Password 4, and the extension works with browsers other than Google Chrome.

@LilliZ, @cyphix333, @bluon: I understand that you might not like the subscription based model, which is why we have standalone licenses. A standalone license is $64.99, and can be purchased through the 1Password 7 app. When asked to subscribe, click the "Need a license? We have those too" link on that page. If you have any trouble upgrading, contact us and we'll help you out.

I didn't know you still offered standalone licenses, thanks for that. However, it would be nice if you offered a discount for current license holders; I can't remember what I paid initially, but think it was $49 or something; why do I have to pay the same amount as someone else that hasn't purchased a license before? Many software companies offer discounts for things like this.

Same thing could happen with V7 - buy that, and then have to pay full price for the next version.

@cyphix333, @Daniel69: Thanks for voicing your opinions, I understand why you feel that way. While I can help get you settled into a 1Password membership and make the transition easier on your wallet, we can't offer discounts for the standalone version of 1Password.

I'm sorry I'm not able to give you the answer you were looking for. <personal opinion> I hope you will consider a 1Password membership one day, as it truly is the best way to use 1Password, and that's coming from a person that isn't fond of subscriptions. </personal opinion>

I am having the same issue on my windows computer. The extension is working on chrome on my mac, just not on my windows computer. I sent in the diagnostics report and the support ID is #JPG-27827-217. Please advise as this is most inconvenient.

Hi there @Sibler. I've just checked the email you sent us, and it seems one of my colleagues replied to you. It looks like you're running 1Password 4, so the same response as my message above applies here as well.

Same issue here. There should be some kind of official "end of life" communication on the main page for long-time 1Password4 users, as the website still lets you download the version, but doesn't indicate the default options are no longer usable in Chrome: https://1password.com/downloads/windows/

Having to re-up at $70 is a big pill to swallow. What makes me uneasy about the new system is the centralized account. Am I still able to create local vaults, and can I still choose the mechanism to use to distribute my vaults to other machines? Without trawling through the forums, the new "getting started" flows don't make it clear if my passwords will be stored or sent through your servers first.

@whunt: 1Password 7 is the current version. Our website reflects that. I'm not sure what you mean by "default options" but as mentioned already, there are a number of other browsers whose code signatures have not changed and therefore will still work with 1Password 4. We don't sell anything for 70$US, but certainly we do need to charge money for the work we do or there would be no updates at all; we'd have to find other work. Passwords are never sent to us or stored on our servers, only encrypted data, to which only you have the "keys". If you're interested in how it works, be sure to check out the security white paper and let us know if you have any questions.

@brenty I understand the 1Password 7 is current, and 4 is so old that your current licenses don't support it. Just suggesting updating the bit on the page that mentions 1Password 4 to a KB article (or this discussion) for how to make it work with Chrome. It's not a big deal.

We don't sell anything for 70$US

I was referencing a previous comment from ag_sebastian about $65 standalone license. Sorry I rounded up and confused the issue.

certainly we do need to charge money for the work we do or there would be no updates at all

Totally understood. It's the common licensing problem nowadays. When a user pays a flat price for something and is unhappy when the product moves on and leaves them behind. I'm one of those users, and am aware of this, but it's still frustrating when it happens. I am quite pleased to see active AgileBits contributors on this board explaining the situation. Thank you!

If you're interested in how it works, be sure to check out the security white paper

Oh, wow! This is an amazing document! Still WIP obviously, but an attempt at conversational tone for something as complicated as encryption is pretty awesome. I learned a lot about the fundamentals reading that paper! And the transparency by which your authentication and encryption techniques operate is also commendable.

That said, you DO store the (encrypted) vault items in your servers and admit the service is vulnerable to a MitM attack if your servers are compromised. That's a concerning shift for a long-time user that specifically chose 1Password tech because I could keep my vault completely local and choose if and how to distribute my vault. I think for now I will continue using 1Password 4 and mull over other vendors' offers to see what range of offerings are out there nowadays. I haven't checked in years because 1Password really seemed to fit all my needs and not try to be much more (sharing vaults, team accounts, etc)...

I understand the 1Password 7 is current, and 4 is so old that your current licenses don't support it. Just suggesting updating the bit on the page that mentions 1Password 4 to a KB article (or this discussion) for how to make it work with Chrome. It's not a big deal.

@whunt: Ah, thanks for clarifying. It's something we'll look into. We just want to avoid causing confusion for even more people if we can help it.

I was referencing a previous comment from ag_sebastian about $65 standalone license. Sorry I rounded up and confused the issue.

Gotcha. But we haven't sold any 1Password 7 licenses for 65$US to date, as it's still being offered at the initial discount as mentioned in the announcement.

Totally understood. It's the common licensing problem nowadays. When a user pays a flat price for something and is unhappy when the product moves on and leaves them behind. I'm one of those users, and am aware of this, but it's still frustrating when it happens. I am quite pleased to see active AgileBits contributors on this board explaining the situation. Thank you!

Thank you for your support, and for coming to us in the first place! It isn't often discussed, but if you think about it, a membership subscription helps with that problem. I know I've purchased software and regretted it at times, and it can be a disappointment (not to mention a hit to the finances). But with a membership you have 30 days to try it for free, and if you pay monthly you can quit at any time if you find it isn't a good fit for you, without the initial outlay of an upfront license fee or annual subscription. Something to consider.

Oh, wow! This is an amazing document! Still WIP obviously, but an attempt at conversational tone for something as complicated as encryption is pretty awesome. I learned a lot about the fundamentals reading that paper! And the transparency by which your authentication and encryption techniques operate is also commendable.

Thank you for reading it! I know it's not necessarily the most exciting thing for everyone, so I'm glad you did, and got something out of it. We want to be upfront about how we secure our customers' data so people can have peace of mind, and so that security researchers can continue to poke away at our stuff to find things that could be improved. But at its core, our security model involves not having our customers' secrets in the first place, so that even if we turn evil or are used by someone else to get to our customers, we don't have the "keys" to anyone's data. We use 1Password too, so we also want to make sure that each of us individually are the only ones with the means to decrypt our own data.

That said, you DO store the (encrypted) vault items in your servers and admit the service is vulnerable to a MitM attack if your servers are compromised. That's a concerning shift for a long-time user that specifically chose 1Password tech because I could keep my vault completely local and choose if and how to distribute my vault. I think for now I will continue using 1Password 4 and mull over other vendors' offers to see what range of offerings are out there nowadays. I haven't checked in years because 1Password really seemed to fit all my needs and not try to be much more (sharing vaults, team accounts, etc)... If I'm misunderstanding the 4 vs 7 tech, please let me know, and thanks for the links!

Seriously, thank you for using 1Password in the first place, and taking an active role in your security. Not everyone does that, so we take the job of making 1Password not only secure but also as seamless as possible very seriously. If it helps (and I think it does), even with the hosted service your data is encrypted locally using "keys" only you possess -- the Master Password, which you choose; and the Secret Key, which is 128 bits randomly generated on your device when you set up the account -- and they are never sent to us. So, quite literally, you are the only person with the means to decrypt your data (unless you give that information to someone else).

As far as a person-in-the-middle, while we cannot control what goes on in your system, we go to a lot of trouble on our end to avoid that by restricting the secure communications protocols used (to prevent downgrade attacks). You can find a fair amount of people posting on this forum because they've installed "security" software that performs a person-in-the-middle attack on them to scan their traffic, and our server rejects the connection as a result. So although we cannot prevent you from installing malware accidentally and/or giving your "keys" away, we do what we can to help.

I think these (among others) are good reasons to use 1Password, but it's also always a good thing to look at the alternatives. It's better that you be happy with what you're using, whether that be 1Password or something else, because of an informed decision, rather than just choosing us by default (though that's flattering!) And if you have any questions at all, just let us know.

As far as a person-in-the-middle, while we cannot control what goes on in your system, we go to a lot of trouble on our end to avoid that by restricting the secure communications protocols used (to prevent downgrade attacks).

While my own machine being compromised is a serious issue (and quite possibly much more likely than 1Password's own security being penetrated), I was referring to the section in Appendix A entitled "No Public Key Verification", which is further expounded upon in Appendix E. This refers to 1Password's own servers being potentially compromised where a malicious intruder could passively observe users and collect vault secrets without them being aware. Presumably if such an insidious intrusion occurred, 1Password might not even be aware of it for some time. In this world of WHEN not IF a data breach will occur, this can make folks pretty nervous, because every time I talk to 1Password servers, I can't be completely sure an intruder is not passively attacking your system in this way. Sure my secret keys wouldn't be compromised, but my vault will be.

Appendix E describes this as "notoriously difficult to address" with "no good solutions in general", which all seems true and understandable. Of course the solution is to NOT store vault items in a central server! Which is of course what 1Password used to do! Of course you ALSO can't securely implement features like team vaults, sharing, recovery groups, etc, other features that 1Password has developed to add value to the product. Just a tradeoff, I guess. The pathway 1Password is on now is a better business model for sure, as you can more easily justify a subscription service when hosting the solution for the user.

While my own machine being compromised is a serious issue (and quite possibly much more likely than 1Password's own security being penetrated), I was referring to the section in Appendix A entitled "No Public Key Verification", which is further expounded upon in Appendix E. This refers to 1Password's own servers being potentially compromised where a malicious intruder could passively observe users and collect vault secrets without them being aware.

@whunt: Ah! Thanks for clarifying. Indeed, there isn't a mechanism for us to prevent someone malicious from creating a fake 1Password site. In that case, signing in there in your browser would allow them to collect your credentials. The defense against that can only be on your end, in that you can verify the server and certificate you're connecting to.

Presumably if such an insidious intrusion occurred, 1Password might not even be aware of it for some time. In this world of WHEN not IF a data breach will occur, this can make folks pretty nervous, because every time I talk to 1Password servers, I can't be completely sure an intruder is not passively attacking your system in this way. Sure my secret keys wouldn't be compromised, but my vault will be.

To be clear, that wouldn't be a data breach on our end. On the server, there only exists encrypted data. So while that could potentially be stolen, the attacker would need to get the "keys" to decrypt it from you.

But in the case of the 1Password app talking to the server...well, it won't talk to an impostor, and the app itself is code signed so that you can verify that it came from us. The risk of an attacker collecting your account credentials as a person-in-the-middle does not exist in this case since the 1Password apps do not ever send secrets (and if the connection cannot be verified on both ends, it will be rejected anyway), only a cryptographic verifier (which an impostor would not be able to verify). You may want to check out Rick's blog post on our Secure Remote Password implementation for more details:

Sorry to dump more reading materials on you, but if you enjoyed the white paper you'll surely enjoy this too. Cool stuff!

Appendix E describes this as "notoriously difficult to address" with "no good solutions in general", which all seems true and understandable. Of course the solution is to NOT store vault items in a central server! Which is of course what 1Password used to do! Of course you ALSO can't securely implement features like team vaults, sharing, recovery groups, etc, other features that 1Password has developed to add value to the product. Just a tradeoff, I guess. The pathway 1Password is on now is a better business model for sure, as you can more easily justify a subscription service when hosting the solution for the user.

While there are certainly challenges and risks that must be mitigated wherever possible, I don't think it can be stressed enough that in not having 1Password users' unencrypted data or the keys to the encrypted data sent to us ever means that we simply don't have what attackers would need to access 1Password users' secrets on a "centralized server". And the (128-bit, randomly-generated) Secret Key exists so that even if encrypted data is stolen from us, it is not possible to perform a brute-force attack against a user's Master Password, since the Secret Key is also required for decryption. So an attacker would really need to go after you in order to gain access to your data, since only you have the keys to it. Compare that with using local vaults with the "standalone" app, where you have a similar situation. So while there is no such thing as perfect security, we've gone to a lot of trouble to ensure that an attacker would need to go to a lot more in order to be able to compromise a 1Password user's data.
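The point made in the reply above about the Secret Key, as an added example that is not part of the thread and is not 1Password's own code: a simplified two-secret derivation in which a password-stretched key is combined with a key derived from a random 128-bit secret, compared with a password-only derivation under an offline wordlist check. The function names, the `key_check` value standing in for stolen server-side data, the iteration count and all sample values are assumptions constructed for this illustration.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 20_000  # illustrative work factor, kept low so the demo runs quickly


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) extract-then-expand with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def password_only_key(master_password: str, salt: bytes) -> bytes:
    """Key that depends on the password alone: guessable offline from stolen data."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, PBKDF2_ITERATIONS)


def two_secret_key(master_password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Key that needs both the password and a random secret held only on the device."""
    stretched = password_only_key(master_password, salt)
    from_secret = hkdf_sha256(secret_key, salt, b"example-two-secret")
    return bytes(a ^ b for a, b in zip(stretched, from_secret))


def key_check(key: bytes) -> bytes:
    """Hypothetical stand-in for server-side data an intruder could test guesses against."""
    return hmac.new(key, b"key-check", hashlib.sha256).digest()


def offline_guess(stolen_check: bytes, wordlist, derive):
    """Return the first wordlist entry whose derived key matches the stolen value."""
    for guess in wordlist:
        if hmac.compare_digest(key_check(derive(guess)), stolen_check):
            return guess
    return None


def demo():
    # All values below are constructed sample data.
    salt = bytes(range(16))
    master_password = "correct horse battery"
    secret_key = secrets.token_bytes(16)  # 128 random bits, never sent to the server
    wordlist = ["123456", "letmein", "correct horse battery"]

    stolen_pw_only = key_check(password_only_key(master_password, salt))
    stolen_two_secret = key_check(two_secret_key(master_password, secret_key, salt))

    # Password-only: the wordlist alone is enough to confirm the right guess.
    found_pw_only = offline_guess(
        stolen_pw_only, wordlist, lambda g: password_only_key(g, salt))

    # Two-secret: without the device's secret the intruder must also guess
    # 128 random bits, so even the correct password never matches.
    wrong_secret = secrets.token_bytes(16)
    found_two_secret = offline_guess(
        stolen_two_secret, wordlist, lambda g: two_secret_key(g, wrong_secret, salt))

    return found_pw_only, found_two_secret


if __name__ == "__main__":
    print(demo())
```
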

there isn't a mechanism for us to prevent someone malicious from creating a fake 1Password site.

...

I don't think it can be stressed enough that in not having 1Password users' unencrypted data or the keys to the encrypted data sent to us ever means that we simply don't have what attackers would need to access 1Password users' secrets on a "centralized server".

As far as I can tell, Appendix E is not talking about me accidentally being redirected to a fake site. It's talking about the actual 1Password servers being compromised by a malicious intruder, who then sets up a MitM attack from within the 1Password ecosystem. Story 10 on Page 66 walks through the scenario, concluding:

Mr. Talk was able to learn the secrets that Patty sent to Molly, but he was not able to learn the secret parts of their public keys.

From my admittedly brief perusal of this doc today, it looks to me that the attacker COULD in fact learn the vault keys and decrypt my data WITHOUT KNOWING MY SECRETS, by sending me a fake key that the attacker knows the private key for. This allows the MitM attacker to decrypt the traffic between the two parties (the vault key) and neither would be the wiser. Am I misunderstanding that scenario?

[And I did read the SRP blog. It's substantively the same as much of what is already in the white paper, but does expound a little more on it. Thanks!]

As far as I can tell, Appendix E is not talking about me accidentally being redirected to a fake site. It's talking about the actual 1Password servers being compromised by a malicious intruder, who then sets up a MitM attack from within the 1Password ecosystem. Story 10 on Page 66 walks through the scenario, concluding:

Mr. Talk was able to learn the secrets that Patty sent to Molly, but he was not able to learn the secret parts of their public keys.

Indeed, if someone malicious were able to take over our server entirely, they could send you their own "1Password" web app and collect whatever you send to them. That's why we have security measures in place to prevent that from happening. Apart from our own efforts, we participate in external audits and cooperate with independent security researchers to find any flaws so we can fix them.

Since you were talking about a person-in-the-middle though, I focused on the slightly different scenario of someone running their own "1Password" server and directing you to it. As I mentioned earlier:

you can verify the server and certificate you're connecting to.

As that would be easier to pull off than someone taking us over completely. The trick would be to get your device to believe this was a legitimate connection, or to fool you into not noticing it wasn't. And that would only apply to the web interface. If you're using the 1Password app,

it won't talk to an impostor ["1Password" server, or our actual server if its behavior has been modified], and the app itself is code signed so that you can verify that it came from us.

Any impostor would not have the ability to understand the information the app is sending to it in order to actually set up a 1Password session with you, and the app would reject the connection because the host cannot therefore be verified.

From my admittedly brief perusal of this doc today, it looks to me that the attacker COULD in fact learn the vault keys and decrypt my data WITHOUT KNOWING MY SECRETS, by sending me a fake key that the attacker knows the private key for. This allows the MitM attacker to decrypt the traffic between the two parties (the vault key) and neither would be the wiser. Am I misunderstanding that scenario?

If you were signing up for a new account with a phony "1Password" server, then yes. But if you already have an account, and therefore keys, an impostor can't just send you new ones they made up themselves. They'd need to successfully authenticate with your client first, and then negotiate the new keys -- which would allow them to access future data you send them, but not existing data (which was encrypted with the original keys). At that point, it's not a person-in-the-middle attack, but rather you have an actual account with some service other than 1Password and you're sending information directly to them. And while a web client delivered to you by the attacker will not complain about new key negotiation, a client from us (say, 1Password for Mac) will not accept that because the server cannot be authenticated. That would send up a lot of red flags.

[And I did read the SRP blog. It's substantively the same as much of what is already in the white paper, but does expound a little more on it. Thanks!]

@brenty, thanks so much again for the detailed response! I love that 1Password is willing to have open dialog and be frank about what scenarios can and cannot be protected by the service. I really appreciate your support.

I'm having a similar problem with my 1Password Chrome extension not working. When I click the 1Password extension icon, nothing happens. When I do the keyboard shortcut to auto fill, nothing happens. Although I did notice when I tried to login to my account here, it asked me to unlock my vault, even though it was already unlocked.

As you're running 1Password 4 for Windows you will want to read our post, "1Password 4 for Windows no longer fills in Chrome 72", as it applies to you. The brief overview is 1Password 4 can no longer verify Chrome as a legitimate copy of Chrome and so it refuses the connection. If you have any questions please let us know.

The latest version of 1Password for Mac and Windows is 1Password 7, right? However 1Password 7 requires at least macOS Sierra. Being on El Capitan, I am unable to use 1Password 7 (using 1Password 6 on my Mac). I am, however, able to use 1Password 7 on my Windows PC, since I'm on Windows 10.

With that said, would 1Password 6 on my Mac be compatible with 1Password 7 on my Windows PC as well as my iPad (iOS 12.1 with 1Password 7) and Android phone (Android 8.1 and 1Password 7)?